Malspam, DoublePulsar and Hidden Tear ransomware

AhmedSonbol1 (Employee)
2017-10-10 04:57 PM

A new malspam campaign, observed on October 6th 2017, spreads DoublePulsar via the EternalBlue exploit along with Hidden Tear ransomware. Based on the delivery documents and ransom notes, the campaign appears to target German-speaking users.

EternalBlue exploits a vulnerability in the way the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests, giving an attacker the opportunity to execute code on the target server [1]. Microsoft issued a patch for the vulnerability in March 2017, but the exploit was still used as part of the WannaCry ransomware attack in May 2017 and the NotPetya attack in June 2017. DoublePulsar is a backdoor implant that was used alongside EternalBlue. Hidden Tear is an open-source ransomware family; malware authors have built different variants on top of its code base that differ from each other in aspects such as the payment methods, the encryption techniques, and which files are considered for encryption [2].

The delivery document (PRELIMINARY_KAPSCH_SECURITY_NIGHT_2017_WORD_DROPPER.doc) uses a macro to drop the malicious payload onto the victim machine:

[Image: delivery-doc.jpg]

Submitting the delivery document to the RSA pre-release What's This File service shows the following malicious characteristics, including the auto-launch script that downloads a payload from a domain over SSL:

[Image: hiddenteat-wtf-1.png]

[Image: hiddentear-wtf-2.png]

[Image: hiddentear-script-1.png]

The PowerShell script (launcher.ps1.txt) has the capability to map the victim network:

[Image: hiddentear-script-2.png]

It can also download a zipped file 'EB_LAUNCHER.zip' and extract it on the victim machine:

[Image: hiddentear-script-4.png]

The request to download 'EB_LAUNCHER.zip' was observed in NetWitness Packets:

[Image: hiddentear-nw-session-1.png]

[Image: hiddentear-nw-files-1.png]

[Image: hiddentear-nw-investigate.png]

Finally, the script proceeds to the delivery stage:

[Image: hiddentear-script-5.png]

First, it tries to run a PowerShell script (Execute-EB-Launcher.ps1) to infect machines on the network that may be vulnerable to the EternalBlue exploit and, where the attempt succeeds, to implant DoublePulsar:

[Image: hiddentear-ps-info.png]

[Image: hiddentear-eb-launch.png]

In this scenario, no neighboring machines were compromised. The malicious PowerShell script (launcher.ps1.txt) finally downloads and launches a Hidden Tear variant:

[Image: hiddentear-nw-session-2.png]

[Image: hiddentear-nw-files-2.png]

[Image: hiddentear-nw-investigate-2.png]

Upon execution, the malware encrypts the victim files and presents the following ransom note:

[Image: hiddentear-note.png]

Post-infection traffic is over SSL:

[Image: hiddentear-post-infection.png]

The payment websites were down at the time of this writing.

Delivery documents (SHA256):

  • 8ad3c6df4a96b97279e50a39fe4c2662d8da7699c54cb2582a5c0ae7ae358334
  • 4592803dfdd47c4bfffad037695d3be4566c38ad46132e55c5679c7eb6f029da

EB_LAUNCHER.zip (SHA256):

  • 22a3a1c609b678b5eed59b48eed47513996998ab99841773d5b0f316fc9e7528

Hidden Tear ransomware (SHA256):

  • bf9d54c7b894065d6f3ac59da093241ee0c0c545a323c9d8ae8c8f8a9b14d591

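The chain described above (a macro spawning PowerShell, the EB_LAUNCHER.zip download seen in NetWitness Packets, the SMBv1 fan-out toward neighboring hosts, and files matching the listed hashes) can be correlated per host from endpoint and network logs. The script below is an added defender-side example written for this post, not code from the post or from NetWitness; it assumes a JSON-per-line event feed with the field names shown, a constructed sample, and a fan-out threshold of 5 distinct TCP/445 peers that is a tuning assumption.

```python
import json
from collections import defaultdict

# SHA256 values quoted in the post: two delivery documents, EB_LAUNCHER.zip, Hidden Tear sample.
KNOWN_HASHES = {
    "8ad3c6df4a96b97279e50a39fe4c2662d8da7699c54cb2582a5c0ae7ae358334",
    "4592803dfdd47c4bfffad037695d3be4566c38ad46132e55c5679c7eb6f029da",
    "22a3a1c609b678b5eed59b48eed47513996998ab99841773d5b0f316fc9e7528",
    "bf9d54c7b894065d6f3ac59da093241ee0c0c545a323c9d8ae8c8f8a9b14d591",
}
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SMB_FANOUT = 5  # distinct TCP/445 peers from one host before we call it mapping (assumed tuning)

def score_host(events):
    """Return the set of campaign stages seen in one host's events (any order)."""
    stages, smb_peers = set(), set()
    for ev in events:
        kind = ev.get("type")
        if kind == "process" and ev.get("parent", "").lower() in OFFICE_PARENTS \
                and ev.get("image", "").lower() == "powershell.exe":
            stages.add("office_spawned_powershell")      # macro dropper stage
        elif kind == "file" and ev.get("sha256", "").lower() in KNOWN_HASHES:
            stages.add("known_ioc_hash")                 # any of the four listed hashes
        elif kind == "http" and ev.get("url", "").lower().endswith("/eb_launcher.zip"):
            stages.add("eb_launcher_download")           # the request seen in NetWitness Packets
        elif kind == "net" and ev.get("proto") == "tcp" and ev.get("dport") == 445:
            smb_peers.add(ev.get("dst"))
    if len(smb_peers) >= SMB_FANOUT:
        stages.add("smb_fanout")                         # network mapping / EternalBlue attempts
    return stages

def triage(json_lines):
    """Parse JSON-per-line events, group by host, report hosts showing >= 2 stages."""
    by_host = defaultdict(list)
    for line in json_lines:
        ev = json.loads(line)
        by_host[ev["host"]].append(ev)
    scored = {host: sorted(score_host(evs)) for host, evs in by_host.items()}
    return {host: st for host, st in scored.items() if len(st) >= 2}

# Constructed sample events (not from the post): ws01 follows the described chain, ws02 is benign.
SAMPLE = [
    '{"host":"ws01","type":"process","parent":"WINWORD.EXE","image":"powershell.exe"}',
    '{"host":"ws01","type":"http","url":"https://example.invalid/EB_LAUNCHER.zip"}',
    '{"host":"ws01","type":"file","sha256":"22a3a1c609b678b5eed59b48eed47513996998ab99841773d5b0f316fc9e7528"}',
    '{"host":"ws02","type":"file","sha256":"%s"}' % ("0" * 64),
] + ['{"host":"ws01","type":"net","proto":"tcp","dst":"10.0.0.%d","dport":445}' % i for i in range(11, 17)]

print(triage(SAMPLE))
```

Requiring two stages per host keeps a single Office-to-PowerShell launch or one noisy SMB client from paging anyone, while a host that also fetched EB_LAUNCHER.zip or wrote a listed hash is surfaced with every stage it matched.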

References:

  1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144
  2. Ransomware Recap: The Ongoing Development of Hidden Tear Variants - Security News - Trend Micro USA
